Review: Trend Micro Deep Security 7.5

With the growing adoption of VMware View, as well as vCloud, the vShield line of products is gaining in popularity. In particular, the bundling of vShield Endpoint licenses with View Premier has given many customers who would otherwise install a full (and typically bloated) anti-virus package into their virtual desktops a viable alternative. In this article, I will focus on Trend Micro’s implementation of vShield Endpoint technology in securing both virtual desktop and server workloads on vSphere. Please note that this is not meant to be a complete review of the product. I’m not going to walk you through the complete installation process, nor am I going to cover operations extensively. I prefer to simply share my experiences, thoughts, and conclusions from my dealings with the product.

Trend Micro was the only launch partner for vShield Endpoint back at VMworld 2010, and unless something has been announced recently that I haven’t seen, Trend Micro has the only functional, production-ready vShield Endpoint solution. This is great for me, since the agency for which I work already uses Trend Micro Office Scan in their production environment.

I acquired the bits from Trend Micro and immediately went to push it out to my lab environment where both VMware View and Citrix XenDesktop were being evaluated. I went about following steps I read in both Trend Micro’s supplied materials, as well as some excellent blog posts at GeekSilver’s Blog.

As a note, I’ve already done all the boring stuff that nobody cares about but that is nonetheless a prerequisite. If you want or need a step-by-step how-to, go ahead and read the blog links above. Don’t worry, I can wait. The boring stuff includes:

Set up vSphere 4.1u1 hosts

Set up vCenter Server 4.1u1

Enabled licenses for vShield Endpoint in vCenter Server

Deployed vShield Manager

Enabled vShield Endpoint on all hosts on which Deep Security would be used

Created a database for Deep Security Manager on my SQL 2008 R2 platform

Spun up a Windows 2008 R2 VM and installed Deep Security Manager

After performing the steps above, I immediately encountered issues. After much wailing and gnashing of teeth (read: a couple of hours’ worth of troubleshooting with my excellent Trend Micro technical account manager and a very astute support engineer with VMware Federal Support in Colorado), it became evident there was an issue with the default ESXi embedded image that IBM shipped with our HS22V blades, which causes DVfilter to think that it’s not licensed properly, even with vSphere Enterprise Plus licenses applied.

After applying the requisite patches to my blades for what seemed like forever (a total of around 15 hours for 10 blades… seriously), I was ready to prepare my vSphere hosts. The process for this is quite simple, but I’ll outline it here.

There are, of course, a couple of Next buttons to click, but I don’t want to bore you with that. Others have outlined the installation process very well, and I don’t want to reinvent the wheel.

After this, you deploy the Trend Micro virtual appliance to the host you’ve just prepared. The process is similar to those before, i.e. right click, Deploy Appliance, so I won’t delve into it further here. There’s some configuration of the virtual appliance required, but it’s really just plugging in IP/hostname info, along with DNS servers.

At this point, you’re ready to deploy some guests and have Deep Security Manager keep them in line. If you’re like me, you’ve probably already got hundreds (or thousands) of servers and desktops deployed in production, so moving from an in-guest anti-virus to an offloaded, virtual appliance-based solution where you have to install not one, but two agents (one Trend Micro, one VMware) within the guest operating system, is daunting. I’m not going to sugarcoat this at all: migrating a ton of servers to this solution is not going to be easy. It’s going to be a long and arduous process. My best suggestion is to use something like Microsoft System Center Configuration Manager (SCCM) to package up the installers and push them out that way. When my agency moves to this type of solution in the future (if you’re reading this, coworkers, the writing’s on the wall), that’s probably the tack we’ll take. If you have a better solution, please respond in the comments section below (I’m reserving judgment on whether deploying this via ThinApp or the like is a good idea or not). Virtual desktops, on the other hand, are a different story.

You’ve no doubt deployed your virtual desktops with VMware View using Linked Clones, which makes this kind of process about as painless as can be.

Power on your parent VM.

Uninstall whatever anti-virus solution you currently use.

Install vShield Endpoint thin agent.

Install Trend Micro Deep Security Agent.

Shut down, create a new snapshot of the parent VM, and recompose your pool(s).
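Because every recomposed desktop inherits whatever state the parent VM is in, it is worth confirming on the parent, before you shut it down and snapshot it, that the old anti-virus is really gone and that both agents are installed and running. The following PowerShell check is an added example, not from the original post and not Trend Micro’s or VMware’s own tooling; the service name ds_agent (Deep Security Agent), the driver name vsepflt (vShield Endpoint thin agent) and the ‘Trend Micro’ display-name match are assumptions to verify against the agent versions you actually installed.

```powershell
# Pre-snapshot sanity check, run inside the View linked-clone parent VM.
# Added example; the service, driver and vendor names are assumptions.
$requiredServices = @{ 'ds_agent' = 'Trend Micro Deep Security Agent' }          # assumed service name
$requiredDrivers  = @{ 'vsepflt'  = 'vShield Endpoint thin agent filter driver' } # assumed driver name

$problems = @()

# User-mode services are visible to Get-Service.
foreach ($name in $requiredServices.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        $problems += "Missing service: $($requiredServices[$name]) ($name)"
    } elseif ($svc.Status -ne 'Running') {
        $problems += "Service $name is $($svc.Status), expected Running"
    }
}

# Get-Service does not enumerate kernel drivers, so query WMI for those.
foreach ($name in $requiredDrivers.Keys) {
    $drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$name'"
    if (-not $drv) {
        $problems += "Missing driver: $($requiredDrivers[$name]) ($name)"
    } elseif ($drv.State -ne 'Running') {
        $problems += "Driver $name is $($drv.State), expected Running"
    }
}

# Client SKUs (Windows 7 desktops) register AV products in root\SecurityCenter2.
# Anything left here from another vendor means the old in-guest AV was not
# fully uninstalled and would be cloned into every desktop in the pool.
$registeredAv = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
                -ErrorAction SilentlyContinue
foreach ($av in $registeredAv) {
    if ($av.displayName -notmatch 'Trend Micro') {   # assumed vendor string
        $problems += "Leftover AV product still registered: $($av.displayName)"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'Parent VM looks ready: both agents present, no leftover AV. Shut down and snapshot.'
    exit 0
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Output 'Fix the items above before taking the snapshot and recomposing.'
    exit 1
}
```

Run it in an elevated PowerShell session on the parent VM; a non-zero exit code means the parent is not yet in a state you want replicated across the pool.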

All of your recomposed pools will now have desktops managed by Trend Micro Deep Security. Your scan times should roughly halve, plus you get the added bonus of hypervisor-level IPS/IDS, firewall, et cetera, et cetera.

Overall, I really like the idea of offloading ancillary tasks or duties that were traditionally in guest, be it backup with vStorage APIs for Data Protection or anti-virus with vShield Endpoint. I think Trend Micro and VMware have a really good set of complementary products in Deep Security and vShield Endpoint, and I hope both vendors continue to innovate in this arena. I would like to see some competing products from Symantec or the like to keep driving the industry in this area, but we shall see.